
Commit f51841a

authored
Merge pull request github#2736 from jbj/buffer-type-size
C++: Workaround for problem with memcpy flow
2 parents 2b10cd6 + 3e2b032 commit f51841a


6 files changed

+215
-2
lines changed


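--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -26,7 +26,7 @@ private predicate hasResultMemoryAccess(
 type = languageType.getIRType() and
 isIndirectOrBufferMemoryAccess(instr.getResultMemoryAccess()) and
 (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-if exists(type.getByteSize())
+if type.getByteSize() > 0
 then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
 else endBitOffset = Ints::unknown()
 )
@@ -43,7 +43,7 @@ private predicate hasOperandMemoryAccess(
 type = languageType.getIRType() and
 isIndirectOrBufferMemoryAccess(operand.getMemoryAccess()) and
 (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
-if exists(type.getByteSize())
+if type.getByteSize() > 0
 then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8))
 else endBitOffset = Ints::unknown()
 )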
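Review bot: The new condition `if type.getByteSize() > 0` silently changes the meaning of a reported byte size of 0 — it now yields `Ints::unknown()` instead of a zero-width access — but nothing in the hunk says which types report 0 or why a zero-width access broke memcpy flow, so a later maintainer cannot tell when this workaround is safe to remove; the test name suggests it is the `unknown`-typed indirection of a `void *` parameter, but that is inference. Add a comment above each changed line, e.g. `// Workaround: a byte size of 0 (not just an absent one) is treated as unknown so the access is not modeled as zero-width and the aliasing stays conservative; see PR #2736 (memcpy flow through void* parameters).` The same size-to-bit-offset computation is now duplicated in hasResultMemoryAccess and hasOperandMemoryAccess, so the workaround must be kept in sync in two places; a shared private predicate that derives endBitOffset from startBitOffset and type would keep it in one. Both predicates begin outside the hunk.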

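--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1083,3 +1083,56 @@ ssa.cpp:
 # 239| v239_5(void) = UnmodeledUse : mu*
 # 239| v239_6(void) = AliasedUse : ~m244_5
 # 239| v239_7(void) = ExitFunction :
+
+# 247| char* VoidStarIndirectParameters(char*, int)
+# 247| Block 0
+# 247| v247_1(void) = EnterFunction :
+# 247| m247_2(unknown) = AliasedDefinition :
+# 247| mu247_3(unknown) = UnmodeledDefinition :
+# 247| r247_4(glval<char *>) = VariableAddress[src] :
+# 247| m247_5(char *) = InitializeParameter[src] : &:r247_4
+# 247| r247_6(char *) = Load : &:r247_4, m247_5
+# 247| m247_7(unknown) = InitializeIndirection[src] : &:r247_6
+# 247| r247_8(glval<int>) = VariableAddress[size] :
+# 247| m247_9(int) = InitializeParameter[size] : &:r247_8
+# 248| r248_1(glval<char *>) = VariableAddress[dst] :
+# 248| r248_2(glval<unknown>) = FunctionAddress[operator new[]] :
+# 248| r248_3(glval<int>) = VariableAddress[size] :
+# 248| r248_4(int) = Load : &:r248_3, m247_9
+# 248| r248_5(unsigned long) = Convert : r248_4
+# 248| r248_6(unsigned long) = Constant[1] :
+# 248| r248_7(unsigned long) = Mul : r248_5, r248_6
+# 248| r248_8(void *) = Call : func:r248_2, 0:r248_7
+# 248| m248_9(unknown) = ^CallSideEffect : ~m247_7
+# 248| m248_10(unknown) = Chi : total:m247_7, partial:m248_9
+# 248| r248_11(char *) = Convert : r248_8
+# 248| m248_12(char *) = Store : &:r248_1, r248_11
+# 249| r249_1(char) = Constant[97] :
+# 249| r249_2(glval<char *>) = VariableAddress[src] :
+# 249| r249_3(char *) = Load : &:r249_2, m247_5
+# 249| r249_4(glval<char>) = CopyValue : r249_3
+# 249| m249_5(char) = Store : &:r249_4, r249_1
+# 249| m249_6(unknown) = Chi : total:m248_10, partial:m249_5
+# 250| r250_1(glval<unknown>) = FunctionAddress[memcpy] :
+# 250| r250_2(glval<char *>) = VariableAddress[dst] :
+# 250| r250_3(char *) = Load : &:r250_2, m248_12
+# 250| r250_4(void *) = Convert : r250_3
+# 250| r250_5(glval<char *>) = VariableAddress[src] :
+# 250| r250_6(char *) = Load : &:r250_5, m247_5
+# 250| r250_7(void *) = Convert : r250_6
+# 250| r250_8(glval<int>) = VariableAddress[size] :
+# 250| r250_9(int) = Load : &:r250_8, m247_9
+# 250| r250_10(void *) = Call : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
+# 250| v250_11(void) = ^SizedBufferReadSideEffect[1] : &:r250_7, r250_9, ~m249_6
+# 250| m250_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
+# 250| m250_13(unknown) = Chi : total:m249_6, partial:m250_12
+# 251| r251_1(glval<char *>) = VariableAddress[#return] :
+# 251| r251_2(glval<char *>) = VariableAddress[dst] :
+# 251| r251_3(char *) = Load : &:r251_2, m248_12
+# 251| m251_4(char *) = Store : &:r251_1, r251_3
+# 247| v247_10(void) = ReturnIndirection : &:r247_6, ~m250_13
+# 247| r247_11(glval<char *>) = VariableAddress[#return] :
+# 247| v247_12(void) = ReturnValue : &:r247_11, m251_4
+# 247| v247_13(void) = UnmodeledUse : mu*
+# 247| v247_14(void) = AliasedUse : ~m250_13
+# 247| v247_15(void) = ExitFunction :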

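--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1078,3 +1078,56 @@ ssa.cpp:
 # 239| v239_5(void) = UnmodeledUse : mu*
 # 239| v239_6(void) = AliasedUse : ~m244_5
 # 239| v239_7(void) = ExitFunction :
+
+# 247| char* VoidStarIndirectParameters(char*, int)
+# 247| Block 0
+# 247| v247_1(void) = EnterFunction :
+# 247| m247_2(unknown) = AliasedDefinition :
+# 247| mu247_3(unknown) = UnmodeledDefinition :
+# 247| r247_4(glval<char *>) = VariableAddress[src] :
+# 247| m247_5(char *) = InitializeParameter[src] : &:r247_4
+# 247| r247_6(char *) = Load : &:r247_4, m247_5
+# 247| m247_7(unknown) = InitializeIndirection[src] : &:r247_6
+# 247| r247_8(glval<int>) = VariableAddress[size] :
+# 247| m247_9(int) = InitializeParameter[size] : &:r247_8
+# 248| r248_1(glval<char *>) = VariableAddress[dst] :
+# 248| r248_2(glval<unknown>) = FunctionAddress[operator new[]] :
+# 248| r248_3(glval<int>) = VariableAddress[size] :
+# 248| r248_4(int) = Load : &:r248_3, m247_9
+# 248| r248_5(unsigned long) = Convert : r248_4
+# 248| r248_6(unsigned long) = Constant[1] :
+# 248| r248_7(unsigned long) = Mul : r248_5, r248_6
+# 248| r248_8(void *) = Call : func:r248_2, 0:r248_7
+# 248| m248_9(unknown) = ^CallSideEffect : ~m247_2
+# 248| m248_10(unknown) = Chi : total:m247_2, partial:m248_9
+# 248| r248_11(char *) = Convert : r248_8
+# 248| m248_12(char *) = Store : &:r248_1, r248_11
+# 249| r249_1(char) = Constant[97] :
+# 249| r249_2(glval<char *>) = VariableAddress[src] :
+# 249| r249_3(char *) = Load : &:r249_2, m247_5
+# 249| r249_4(glval<char>) = CopyValue : r249_3
+# 249| m249_5(char) = Store : &:r249_4, r249_1
+# 249| m249_6(unknown) = Chi : total:m247_7, partial:m249_5
+# 250| r250_1(glval<unknown>) = FunctionAddress[memcpy] :
+# 250| r250_2(glval<char *>) = VariableAddress[dst] :
+# 250| r250_3(char *) = Load : &:r250_2, m248_12
+# 250| r250_4(void *) = Convert : r250_3
+# 250| r250_5(glval<char *>) = VariableAddress[src] :
+# 250| r250_6(char *) = Load : &:r250_5, m247_5
+# 250| r250_7(void *) = Convert : r250_6
+# 250| r250_8(glval<int>) = VariableAddress[size] :
+# 250| r250_9(int) = Load : &:r250_8, m247_9
+# 250| r250_10(void *) = Call : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
+# 250| v250_11(void) = ^SizedBufferReadSideEffect[1] : &:r250_7, r250_9, ~m249_6
+# 250| m250_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
+# 250| m250_13(unknown) = Chi : total:m248_10, partial:m250_12
+# 251| r251_1(glval<char *>) = VariableAddress[#return] :
+# 251| r251_2(glval<char *>) = VariableAddress[dst] :
+# 251| r251_3(char *) = Load : &:r251_2, m248_12
+# 251| m251_4(char *) = Store : &:r251_1, r251_3
+# 247| v247_10(void) = ReturnIndirection : &:r247_6, ~m249_6
+# 247| r247_11(glval<char *>) = VariableAddress[#return] :
+# 247| v247_12(void) = ReturnValue : &:r247_11, m251_4
+# 247| v247_13(void) = UnmodeledUse : mu*
+# 247| v247_14(void) = AliasedUse : ~m250_13
+# 247| v247_15(void) = ExitFunction :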

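--- a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
+++ b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
@@ -243,3 +243,10 @@ void ExplicitConstructorCalls() {
 Constructible c2 = Constructible(2);
 c2.g();
 }
+
+char *VoidStarIndirectParameters(char *src, int size) {
+char *dst = new char[size];
+*src = 'a';
+memcpy(dst, src, size);
+return dst;
+}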
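Review bot: The new fixture VoidStarIndirectParameters has no comment saying which IR behaviour it pins, and its name only hints at it; from the accompanying expected output it appears to check that the store `*src = 'a'` is visible to the read side effect of `memcpy(dst, src, size)` once the arguments are converted to `void *`, but a reader of ssa.cpp alone cannot tell that. Add a comment above the function, e.g. `// Regression test for memcpy flow through void* arguments: the write to *src must be reachable from the buffer-read side effect of memcpy rather than lost to a zero-sized access (PR #2736).` The fixture also passes `int size` unchecked to both `new char[size]` and `memcpy`, which is fine for an IR dump but worth noting in the same comment so it is not copied as a pattern. Whether `memcpy` is declared by an include or a local prototype is outside the hunk.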

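--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -1026,3 +1026,53 @@ ssa.cpp:
 # 239| v239_5(void) = UnmodeledUse : mu*
 # 239| v239_6(void) = AliasedUse : ~mu239_3
 # 239| v239_7(void) = ExitFunction :
+
+# 247| char* VoidStarIndirectParameters(char*, int)
+# 247| Block 0
+# 247| v247_1(void) = EnterFunction :
+# 247| mu247_2(unknown) = AliasedDefinition :
+# 247| mu247_3(unknown) = UnmodeledDefinition :
+# 247| r247_4(glval<char *>) = VariableAddress[src] :
+# 247| m247_5(char *) = InitializeParameter[src] : &:r247_4
+# 247| r247_6(char *) = Load : &:r247_4, m247_5
+# 247| mu247_7(unknown) = InitializeIndirection[src] : &:r247_6
+# 247| r247_8(glval<int>) = VariableAddress[size] :
+# 247| m247_9(int) = InitializeParameter[size] : &:r247_8
+# 248| r248_1(glval<char *>) = VariableAddress[dst] :
+# 248| r248_2(glval<unknown>) = FunctionAddress[operator new[]] :
+# 248| r248_3(glval<int>) = VariableAddress[size] :
+# 248| r248_4(int) = Load : &:r248_3, m247_9
+# 248| r248_5(unsigned long) = Convert : r248_4
+# 248| r248_6(unsigned long) = Constant[1] :
+# 248| r248_7(unsigned long) = Mul : r248_5, r248_6
+# 248| r248_8(void *) = Call : func:r248_2, 0:r248_7
+# 248| mu248_9(unknown) = ^CallSideEffect : ~mu247_3
+# 248| r248_10(char *) = Convert : r248_8
+# 248| m248_11(char *) = Store : &:r248_1, r248_10
+# 249| r249_1(char) = Constant[97] :
+# 249| r249_2(glval<char *>) = VariableAddress[src] :
+# 249| r249_3(char *) = Load : &:r249_2, m247_5
+# 249| r249_4(glval<char>) = CopyValue : r249_3
+# 249| mu249_5(char) = Store : &:r249_4, r249_1
+# 250| r250_1(glval<unknown>) = FunctionAddress[memcpy] :
+# 250| r250_2(glval<char *>) = VariableAddress[dst] :
+# 250| r250_3(char *) = Load : &:r250_2, m248_11
+# 250| r250_4(void *) = Convert : r250_3
+# 250| r250_5(glval<char *>) = VariableAddress[src] :
+# 250| r250_6(char *) = Load : &:r250_5, m247_5
+# 250| r250_7(void *) = Convert : r250_6
+# 250| r250_8(glval<int>) = VariableAddress[size] :
+# 250| r250_9(int) = Load : &:r250_8, m247_9
+# 250| r250_10(void *) = Call : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
+# 250| v250_11(void) = ^SizedBufferReadSideEffect[1] : &:r250_7, r250_9, ~mu247_3
+# 250| mu250_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
+# 251| r251_1(glval<char *>) = VariableAddress[#return] :
+# 251| r251_2(glval<char *>) = VariableAddress[dst] :
+# 251| r251_3(char *) = Load : &:r251_2, m248_11
+# 251| m251_4(char *) = Store : &:r251_1, r251_3
+# 247| v247_10(void) = ReturnIndirection : &:r247_6, ~mu247_3
+# 247| r247_11(glval<char *>) = VariableAddress[#return] :
+# 247| v247_12(void) = ReturnValue : &:r247_11, m251_4
+# 247| v247_13(void) = UnmodeledUse : mu*
+# 247| v247_14(void) = AliasedUse : ~mu247_3
+# 247| v247_15(void) = ExitFunction :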

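--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1026,3 +1026,53 @@ ssa.cpp:
 # 239| v239_5(void) = UnmodeledUse : mu*
 # 239| v239_6(void) = AliasedUse : ~mu239_3
 # 239| v239_7(void) = ExitFunction :
+
+# 247| char* VoidStarIndirectParameters(char*, int)
+# 247| Block 0
+# 247| v247_1(void) = EnterFunction :
+# 247| mu247_2(unknown) = AliasedDefinition :
+# 247| mu247_3(unknown) = UnmodeledDefinition :
+# 247| r247_4(glval<char *>) = VariableAddress[src] :
+# 247| m247_5(char *) = InitializeParameter[src] : &:r247_4
+# 247| r247_6(char *) = Load : &:r247_4, m247_5
+# 247| mu247_7(unknown) = InitializeIndirection[src] : &:r247_6
+# 247| r247_8(glval<int>) = VariableAddress[size] :
+# 247| m247_9(int) = InitializeParameter[size] : &:r247_8
+# 248| r248_1(glval<char *>) = VariableAddress[dst] :
+# 248| r248_2(glval<unknown>) = FunctionAddress[operator new[]] :
+# 248| r248_3(glval<int>) = VariableAddress[size] :
+# 248| r248_4(int) = Load : &:r248_3, m247_9
+# 248| r248_5(unsigned long) = Convert : r248_4
+# 248| r248_6(unsigned long) = Constant[1] :
+# 248| r248_7(unsigned long) = Mul : r248_5, r248_6
+# 248| r248_8(void *) = Call : func:r248_2, 0:r248_7
+# 248| mu248_9(unknown) = ^CallSideEffect : ~mu247_3
+# 248| r248_10(char *) = Convert : r248_8
+# 248| m248_11(char *) = Store : &:r248_1, r248_10
+# 249| r249_1(char) = Constant[97] :
+# 249| r249_2(glval<char *>) = VariableAddress[src] :
+# 249| r249_3(char *) = Load : &:r249_2, m247_5
+# 249| r249_4(glval<char>) = CopyValue : r249_3
+# 249| mu249_5(char) = Store : &:r249_4, r249_1
+# 250| r250_1(glval<unknown>) = FunctionAddress[memcpy] :
+# 250| r250_2(glval<char *>) = VariableAddress[dst] :
+# 250| r250_3(char *) = Load : &:r250_2, m248_11
+# 250| r250_4(void *) = Convert : r250_3
+# 250| r250_5(glval<char *>) = VariableAddress[src] :
+# 250| r250_6(char *) = Load : &:r250_5, m247_5
+# 250| r250_7(void *) = Convert : r250_6
+# 250| r250_8(glval<int>) = VariableAddress[size] :
+# 250| r250_9(int) = Load : &:r250_8, m247_9
+# 250| r250_10(void *) = Call : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
+# 250| v250_11(void) = ^SizedBufferReadSideEffect[1] : &:r250_7, r250_9, ~mu247_3
+# 250| mu250_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
+# 251| r251_1(glval<char *>) = VariableAddress[#return] :
+# 251| r251_2(glval<char *>) = VariableAddress[dst] :
+# 251| r251_3(char *) = Load : &:r251_2, m248_11
+# 251| m251_4(char *) = Store : &:r251_1, r251_3
+# 247| v247_10(void) = ReturnIndirection : &:r247_6, ~mu247_3
+# 247| r247_11(glval<char *>) = VariableAddress[#return] :
+# 247| v247_12(void) = ReturnValue : &:r247_11, m251_4
+# 247| v247_13(void) = UnmodeledUse : mu*
+# 247| v247_14(void) = AliasedUse : ~mu247_3
+# 247| v247_15(void) = ExitFunction :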
